b"                   DEPARTMENT OF HEALTH AND HUMAN SERVICES\n\n\n              OFFICE OF INSPECTOR GENERAL\n                                    WASHINGTON, DC 20201\n\n\n                                      APR 11 2014\nTO:           Marilyn Tavenner\n              Administrator\n              Centers for Medicare & Medicaid Services\n\n               Leon Rodriguez \n\n               Director \n\n               Office for Civil Rights \n\n                         /S/\nFROM:          Brian P. Ritchie\n               Acting Deputy Inspector General\n                for Evaluation and Inspections\n\n\nSUBJECT: \t Memorandum Report: Offshore Outsourcing ofAdministrative Functions\n           by State Medicaid Agencies, OEI-09-12-00530\n\n\nThis memorandum report provides information about State Medicaid agencies'\nrequirements for outsourcing administrative functions offshore. Outsourcing occurs\nwhen Medicaid agencies enter into agreements with contractors to perform administrative\nfunctions. Outsourcing can occur inside the United States (domestic outsourcing) or\noutside (offshore outsourcing). In 2011, an Office oflnspector General (OIG) review\nfound that one Medicaid agency was unaware that a contractor had sent electronic copies\nof Medicaid claims offshore for processing. This Medicaid agency inquired whether OIG\nhad information regarding how States regulate offshore outsourcing. In response, we\ninitiated the current study, obtaining information from all 56 Medicaid agencies regarding\ntheir requirements and practices for outsourcing administrative functions offshore. This\nmemorandum report summarizes the information we collected from those States.\n\nSUMMARY\n\nOnly fifteen of fifty-six Medicaid agencies have some form of State-specific requirement\nthat addresses the outsourcing of administrative functions offshore. The remaining\n41 Medicaid agencies reported no offshore outsourcing requirements and do not\noutsource administrative functions offshore. Among the 15 Medicaid agencies with\nrequirements, 4 Medicaid agencies prohibit the outsourcing of administrative functions\noffshore and 11 Medicaid agencies allow it. The 11 Medicaid agencies that allow\noffshore outsourcing of administrative functions each maintained Business Associate\nAgreements (BAAs) with contractors, which is a requirement under the Health Insurance\nPortability and Accountability Act (HIPAA). Among other purposes, BAAs are intended\nto safeguard protected health information (PHI). These 11 Medicaid agencies do not\nhave additional State requirements that specifically address safeguarding PHI.\n\x0cPage 2 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\n\nSeven of the eleven Medicaid agencies that allow offshore outsourcing of administrative\nfunctions reported that they outsource offshore through subcontractors, but none reported\nsending PHI offshore. If Medicaid agencies engage in offshore outsourcing of\nadministrative functions that involve PHI, it could present potential vulnerabilities. For\nexample, Medicaid agencies or domestic contractors that send PHI offshore may have\nlimited means of enforcing provisions of BAAs that are intended to safeguard PHI.\nAlthough some countries may have privacy protections greater than those in the United\nStates, other countries may have limited or no privacy protections.\n\nBACKGROUND\n\nThe Medicaid Program\nMedicaid is a joint Federal and State program that provides health care coverage to\nlow-income and medically needy populations, such as children, senior citizens, and\npeople with disabilities. States administer the Medicaid program subject to Federal\nguidelines and policies established by the Centers for Medicare & Medicaid Services\n(CMS).1 For example, States establish\xe2\x80\x94within Federal parameters\xe2\x80\x94their own eligibility\nrequirements, health care benefit packages for beneficiaries, and provider reimbursement\nrates. Medicaid agencies must cover acute and long-term care services that include, but\nare not limited to, inpatient and outpatient hospital services; laboratory and x-ray\nservices; and nursing home facilities and home health care.2 In addition, Medicaid\nagencies may choose to cover optional services such as prescription drugs, durable\nmedical equipment, and personal care services.3\n\nMedicaid Agencies\xe2\x80\x99 Administrative Functions\nMedicaid agencies perform a variety of functions, usually through the integration of\ninformation technology (IT) or data systems, to support the administration of the\nMedicaid program. Medicaid administrative functions include, but are not limited to:4\n    \xef\x82\xb7 enrolling eligible individuals,\n    \xef\x82\xb7 determining what benefits the Medicaid agency will cover,\n    \xef\x82\xb7 determining how much the Medicaid agency will pay for covered benefits and\n       from whom it will purchase services (i.e., fee-for-service and managed care\n       plans),\n    \xef\x82\xb7 having a system for processing claims from fee-for-service providers and making\n       capitation payments to managed care plans,\n    \xef\x82\xb7 monitoring the quality of the services that the Medicaid agency purchases,\n    \xef\x82\xb7 ensuring that State and Federal health care funds are not spent improperly or\n       fraudulently,\n    \xef\x82\xb7 collecting program information and reporting it to CMS, and\n    \xef\x82\xb7 resolving grievances from applicants, beneficiaries, providers, and health plans.\n\n\n1\n  Social Security Act (SSA) \xc2\xa7\xc2\xa7 1901\xe2\x80\x931936, 42 U.S.C. \xc2\xa7\xc2\xa7 1396\xe2\x80\x931396v. \n\n2\n  42 CFR \xc2\xa7 440.210.\n\n3\n  42 CFR \xc2\xa7 440.220.\n\n4\n  See generally SSA \xc2\xa7 1902(a), 42 U.S.C. \xc2\xa7 1396a(a). \n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 3 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\n\nOutsourcing of Medicaid Administrative Functions\nAlthough Federal law requires that each State designate a single State agency to\nadminister the State\xe2\x80\x99s Medicaid program, Medicaid agencies have the authority to\ndelegate or outsource their administrative functions to other State agencies and/or\ncontractors.5, 6 Medicaid agencies may outsource by entering into agreements with\ncontractors to perform specific administrative functions on a periodic or routine basis.\nThese contractors may be private companies identified as covered entities,7 business\nassociates,8, 9 or trading partners.10\n\nMedicaid agencies may outsource directly, i.e., through contractors, or indirectly,\ni.e., through subcontractors. Direct offshore outsourcing occurs when a Medicaid agency\ncontracts with an offshore contractor. Indirect offshore outsourcing occurs when a\nMedicaid agency\xe2\x80\x99s contractor subcontracts to an offshore contractor. In a 2006 report on\n45 State Medicaid agencies, the Government Accountability Office (GAO) found that at\nleast one Medicaid agency directly outsourced offshore and at least one Medicaid agency\nindirectly outsourced offshore. GAO stated that such reporting may be understated\nbecause many Federal contractors and agencies did not know whether their domestic\nvendors transferred personal health information to other locations or vendors.11\nMoreover, the GAO report did not assess States\xe2\x80\x99 compliance with existing HIPAA\nregulations.\n\n\n\n\n5\n  SSA \xc2\xa7 1902(a)(5), 42 U.S.C. \xc2\xa7 1396a(a)(5).\n6\n  42 CFR \xc2\xa7 431.10.\n7\n  Covered entities are health plans, clearinghouses, and providers that electronically transmit PHI.\nExamples of PHI include a beneficiary\xe2\x80\x99s name, Medicaid number, billing transactions, and date of birth.\nPHI can be transmitted in electronic, oral, or paper formats. The HIPAA Privacy Rule provides Federal\nsafeguards to maintain the privacy of PHI. Health plans, including Medicare and Medicaid, provide or pay\nfor the cost of health care. Clearinghouses process and convert health information from one format to\nanother. Health care providers include physicians and pharmacies that electronically submit PHI for\nfinancial or administrative transactions, such as beneficiary claims. 45 CFR \xc2\xa7 150.103.\n8\n  Business associates are persons or organizations that perform certain functions involving the use or\ndisclosure of PHI on behalf of a covered entity. Business associates are subject to the HIPAA Privacy\nRule. 45 CFR \xc2\xa7 150.103.\n9\n  Covered entities and business associates must have BAAs. Covered entities are required to have BAAs\nfor \xe2\x80\x9cdownstream\xe2\x80\x9d outsourcing\xe2\x80\x94i.e., when the original outsourcing contract is followed by one or more\nsubcontracting arrangements. In such cases, BAAs must establish the conditions under which downstream\ncontractors may use and disclose PHI and must include the required privacy safeguards. 45 CFR\n\xc2\xa7\xc2\xa7 150.103 and 165.504(e).\n10\n   Trading partners are entities that transmit electronic health data to covered entities, business associates,\nproviders/suppliers, and software vendors, or that receive such data. Trading partners are subject to the\nHIPAA Privacy Rule.\n11\n   GAO, Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and\nTRICARE, GAO-06-676, September 2006.\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 4 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nFederal Requirements for Offshore Outsourcing\nThere are no Federal regulations that prohibit the offshore outsourcing of Medicaid\nadministrative functions. CMS requires that Medicare contractors or subcontractors\nobtain written approval prior to performing system functions12 offshore.13 Although there\nare no similar requirements from CMS for Medicaid, CMS has issued guidance in\naccordance with the Affordable Care Act (ACA) stating that Medicaid agencies are\npermitted to provide payments to contractors operating offshore for tasks\xe2\x80\x94including\nadministrative functions\xe2\x80\x94that support the administration of the Medicaid program.14, 15\n\nMETHODOLOGY\n\nWe conducted an electronic survey of all 56 Medicaid agencies.16 In May 2013, we\nasked these agencies (1) whether they had any policies, Executive Orders, State laws, or\ncontract requirements (collectively, \xe2\x80\x9crequirements\xe2\x80\x9d) that addressed the outsourcing of\nadministrative functions offshore17 and (2) whether they directly or indirectly outsourced\nadministrative functions offshore.\n\nFor Medicaid agencies with outsourcing requirements, we asked whether the\nrequirements included provisions specifically addressing PHI and whether the Medicaid\nagencies monitor contractors\xe2\x80\x99 compliance with the outsourcing requirements. We\nrequested their requirements and BAAs, and we reviewed the requirements to identify the\ntype or form of the requirement. For the Medicaid agencies that outsource administrative\nfunctions offshore, we asked what types of administrative functions are outsourced\noffshore. In June 2013, we conducted telephone interviews, as needed, with selected\nMedicaid agencies to clarify survey responses, and in some cases, we clarified\ninconsistent survey responses via email.\n\nThis study was conducted in accordance with the Quality Standards for Inspection and\nEvaluation issued by the Council of the Inspectors General on Integrity and Efficiency.\n\n\n\n12\n   Medicare system functions include, but are not limited to, the transmission of electronic claims, receipt\nof remittance advice, or any system access to obtain beneficiary PHI and/or eligibility information.\n13\n   Medicare Fee For Service Standard Companion Guide, page 18. Accessed at\nhttp://www.medicarenhic.com/edi/download/J14%20PART%20B%20Medicare%20FFS%205010A1%20C\nompanion%20Guide.pdf on May 25, 2012. Appendix A, CMSR High Impact Level Data, Section SA-9.\nAccessed at http://www.cms.gov/informationsecurity/downloads/ARS_App_A-CMSR_HIGH.pdf on\nMay 25, 2012.\n14\n   ACA, P.L. No. 111-148, \xc2\xa7 6505.\n15\n   Although Medicaid agencies cannot pay for health care benefits or services to any entity located offshore\nor provided by offshore providers, payments for administrative functions are permitted. CMS, State\nMedicaid Directors Letter #10-026, December 2010.\n16\n   Medicaid agencies include those in the District of Columbia, the Commonwealth of Puerto Rico, the\nUnited States Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana\nIslands.\n17\n   We sent letters to each State Medicaid Director requesting contact information for the person or persons\nknowledgeable about whether the agency outsources administrative functions offshore. We then sent the\nsurvey to those contacts. In some cases, State Medicaid Directors identified themselves as the appropriate\ncontact.\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 5 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nRESULTS\n\nFifteen Medicaid agencies have requirements addressing the offshore outsourcing of\nadministrative functions\nOnly one-quarter (15 of 56) of Medicaid agencies reported having some form of\nrequirement addressing the offshore outsourcing of Medicaid administrative functions.\nOf those 15 Medicaid agencies, 11 have requirements that allow such offshore\noutsourcing. Nine of the eleven Medicaid agencies have requirements that allow offshore\noutsourcing with very few restrictions, and 2 of the 11 have requirements that allow\noffshore outsourcing only under limited circumstances. The remaining 4 of the\n15 Medicaid agencies have requirements that prohibit the offshore outsourcing of\nadministrative functions. None of the 41 States without such requirements reported\noutsourcing Medicaid administrative functions offshore.\n\nNine Medicaid agencies have requirements allowing offshore outsourcing with very few\nlimitations. Among the nine Medicaid agencies that allow offshore outsourcing with\nvery few limitations, three agencies addressed offshore outsourcing through Executive\nOrders, State laws, or a Medicaid agency policy manual. The remaining six Medicaid\nagencies addressed offshore outsourcing through contract provisions. All nine Medicaid\nagencies allow indirect offshore outsourcing\xe2\x80\x94i.e., they allow their direct contractors to\nhave offshore subcontractors. Two of these Medicaid agencies also allow direct offshore\noutsourcing, in which the Medicaid agency contracts with offshore contractors for\nadministrative functions. Two other Medicaid agencies allow indirect offshore\noutsourcing, but specifically prohibit direct offshore outsourcing. (Table 1 shows details\non the nine agencies that allow offshore outsourcing with very few limitations.)\n\nAccording to the requirements that these nine Medicaid agencies have in place, the\nagencies must approve any contractor requests to outsource administrative functions\noffshore. Among the nine Medicaid agencies, views and practices regarding offshore\noutsourcing varied\xe2\x80\x94some reported that they outsource offshore on a case-by-case basis,\nsome reported giving preference to domestic contractors, and some reported that they\ngenerally do not view the offshore outsourcing of administrative functions any differently\nthan they view domestic outsourcing.\n\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 6 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\nTable 1: Description of Nine Medicaid Agencies\xe2\x80\x99 Requirements Allowing Offshore\nOutsourcing of Administrative Functions with Very Few Restrictions\n\n                                                           Description                         Does the\n                           Form of      Description of\n                                                                 of the      Does the     State monitor\n State Medicaid                 18    the requirement\n                     requirement                          requirement     requirement        contractor\n agency                                      for direct\n                                                           for indirect    specifically     compliance\n                                              offshore\n                                                              offshore        address           with the\n                                          outsourcing\n                                                          outsourcing             PHI?    requirement?\n\n\n Florida                State law19    No requirement           Allows              No              Yes\n\n\n                           Contract\n Massachusetts           provisions    No requirement           Allows              No              Yes\n\n\n                           Contract\n Mississippi             provisions    No requirement           Allows              No              Yes\n\n\n                           Contract\n Montana                 provisions           Prohibits         Allows              No              Yes\n\n\n                           Contract\n New Mexico              provisions           Prohibits         Allows              No              Yes\n\n\n                           Contract\n North Dakota            provisions    No requirement           Allows              No              Yes\n\n\n                         Executive\n                                 20\n Pennsylvania              Order                Allows          Allows              No              Yes\n\n\n                           Contract\n Rhode Island            provisions    No requirement           Allows              No              Yes\n\n\n                    Medicaid Policy\n Tennessee                 Manual               Allows          Allows              No              Yes\n\n\n\n\nThe nine Medicaid agencies did not have offshore outsourcing requirements that\nspecifically addressed the safeguarding of PHI. Instead, these nine Medicaid agencies\nrequire contractors and subcontractors to have BAAs complying with HIPAA\nrequirements for the protection of PHI. HIPAA requires that BAAs specify the\ncontractor\xe2\x80\x99s responsibilities for safeguarding PHI, the circumstances under which PHI\n\n18\n   In their contract provisions, Medicaid agencies may reiterate and/or expand on the requirements they\nhave already specified elsewhere (e.g., in Executive Orders, State law, and Medicaid policy manuals).\n19\n   The Medicaid agency allows indirect offshore outsourcing for managed care organizations and prepaid\nhealth plans; however, certain statutory and/or contractual restrictions exist. For example, contract\nprovisions may require that some administrative functions be performed in a domestic location.\n20\n   Contractors must identify during the procurement process whether they or any subcontractor will perform\nadministrative functions offshore. During the selection of contractors, the State may give additional\nconsideration to contractors that will perform services within the United States.\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 7 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nmay be used and disclosed, and the requirements for reporting PHI violations or\nbreaches. However, for all nine agencies, BAAs did not specifically address the offshore\noutsourcing of administrative functions involving PHI. If Medicaid agencies engage in\noffshore outsourcing of administrative functions that involve PHI, it could present\npotential vulnerabilities. For example, Medicaid agencies or domestic contractors who\nsend PHI offshore may have limited means of enforcing provisions of BAAs that are\nintended to safeguard PHI. Although some countries may have privacy protections\ngreater than those in the United States, other countries may have limited or no privacy\nprotections to support HIPAA compliance.\n\nAll nine Medicaid agencies reported that they monitored contractors to ensure\ncompliance with the agencies\xe2\x80\x99 requirements on offshore outsourcing. Although some of\nthese Medicaid agencies reported that they directly monitor subcontractors, other\nMedicaid agencies reported that they rely on contractors to monitor subcontractors.\nExamples of monitoring activities reported by the nine Medicaid agencies included\napproving contractors\xe2\x80\x99 requests to subcontract; conducting ongoing reviews of\ncontractors\xe2\x80\x99 and/or subcontractors\xe2\x80\x99 policies and procedures; and requiring performance\nreports from contractors. These activities may vary based on the scope of the contract.\n\nTwo Medicaid agencies have requirements allowing offshore outsourcing only under\nlimited circumstances. Two Medicaid agencies addressed offshore outsourcing through\nan Executive Order or a State law. As shown in Table 2, both of these Medicaid agencies\nallow offshore outsourcing directly and indirectly.\n\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 8 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\nTable 2: Description of Two Medicaid Agencies\xe2\x80\x99 Requirements Allowing Offshore\nOutsourcing of Administrative Functions Only Under Limited Circumstances\n                                      Description\n                                                          Description        Examples of          Does the          Does the\n                                            of the\n State                 Form of                                  of the    circumstances        requirement     State monitor\n                                     requirement\n Medicaid                    21                          requirement         under which        specifically      contractor\n                 requirement            for direct\n agency                                                   for indirect          offshore           address       compliance\n                                         offshore\n                                                             offshore     outsourcing is               PHI?          with the\n                                     outsourcing\n                                                         outsourcing             allowed                       requirement?\n\n                                                                              Contractor or\n                                                                             subcontractor\n                                                                         must meet one of\n                                                                           four conditions,\n                                                                         such as providing\n                                                                          a unique service\n                                                                         that is mandatory\n                                                                            for the State to\n                       Executive                                                  purchase\n Missouri                Order22            Allows              Allows                                   No              Yes\n\n\n\n                                                                           The function or\n                                                                         service cannot be\n                                                                               provided by\n New                                                                              domestic\n Jersey                State law            Allows              Allows        contractor or              No              Yes\n                                                                             subcontractor\n\nSource: OIG analysis of State survey responses and regulations, 2013.\n\n\nOne Medicaid agency reported that State agencies must award contracts to domestic\ncontractors unless certain circumstances exist\xe2\x80\x94for example, the contractor or\nsubcontractor provides a unique service that is mandatory for the State agency to\npurchase. The second Medicaid agency reported that all contracts awarded by the State\nmust be performed domestically except when the contracted services cannot be provided\nwithin the United States. In such cases, the contractor and subcontractor must specify\nwhy these services cannot be performed domestically. Both Medicaid agencies reported\nthat they must approve offshore outsourcing contracts. For more information about the\ntwo Medicaid agencies\xe2\x80\x99 regulations, see the Appendix.\n\nSimilar to the nine Medicaid agencies that allow offshore outsourcing with very few\nlimitations, these two Medicaid agencies do not have requirements that specifically\naddress PHI. However, these two Medicaid agencies include requirements to protect PHI\nin BAAs with all contractors and subcontractors. In both States, the Medicaid agency\ncontractors must also have BAAs with their respective subcontractors that include similar\nrequirements for protecting PHI.\n\nBoth Medicaid agencies reported monitoring contractors and subcontractors. For\nexample, one of the Medicaid agencies reported that all contract requirements are\nmonitored for compliance by the contract administrator and by the State agency\nresponsible for oversight of State contracts.\n21\n   As noted in Footnote 18, Medicaid agencies may use contract provisions to reiterate and/or expand on\n\nrequirements they have already specified elsewhere. \n\n22\n   Contractors must disclose the location where all services are performed. \n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 9 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nFour Medicaid agencies have requirements prohibiting offshore outsourcing. Of the four\nMedicaid agencies with requirements prohibiting the offshore outsourcing of\nadministrative functions, three rely on Executive Orders that prohibit such outsourcing\nand one relies on contract provisions that prohibit it. All four Medicaid agencies reported\nmonitoring contractors and subcontractors to ensure compliance with the agencies\xe2\x80\x99\nregulations. For example, contractors and subcontractors sign attestations of compliance\nwith the Medicaid policies, disclose the location where all work is performed, and/or\nprovide the primary place of business for the contractor or any subcontractor.\n\nSeven Medicaid agencies reported currently outsourcing Medicaid administrative\nfunctions offshore\nSeven of the fifty-six Medicaid agencies reported that they currently outsource\nadministrative functions offshore; all seven of these have requirements allowing offshore\noutsourcing. As shown in Table 3, all seven Medicaid agencies indirectly outsource\noffshore, and one of the seven also directly outsources offshore.\n\n Table 3: Description of the Seven Medicaid Agencies\xe2\x80\x99 Practices for Outsourcing \n\n Administrative Functions Offshore \n\n\n                                                                        Examples of\n State Medicaid                Form of requirement          administrative functions       Type(s) of offshore\n agency                                                        outsourced offshore               outsourcing\n\n\n Florida                                     State law                               IT                 Indirect\n\n\n\n Massachusetts                    Contract provisions                                IT                 Indirect\n\n\n                                                                    No specific types or\n Mississippi                      Contract provisions                         examples                  Indirect\n\n\n                                                                    No specific types or\n Missouri                             Executive Order                         examples       Direct and indirect\n\n\n                                                                    No specific types or\n Montana                          Contract provisions                         examples                  Indirect\n\n\n North Dakota                     Contract provisions                                IT                 Indirect\n\n\n Rhode Island                     Contract provisions                                IT                 Indirect\n\nSource: OIG analysis of State survey responses and regulations, 2013.\n\n\nFour of the seven Medicaid agencies reported that the most common type of\nadministrative function that is outsourced offshore relates to IT. For example, a\nMedicaid contractor in one State reported that it outsourced the Medicaid Management\nInformation System (MMIS) implementation projects to offshore programmers and\n\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 10 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nsoftware developers.23 In another State, a domestic contractor used offshore\nsubcontractors to help develop and design a new claims processing system for the\nMedicaid agency. In this instance, the offshore subcontractor designed programming and\nsystems testing for this new system. The remaining three Medicaid agencies did not\nreport any common type of administrative functions that are outsourced offshore.\n\nAll seven Medicaid agencies reported that they do not outsource offshore any\nadministrative functions involving PHI. In fact, some of these seven Medicaid agencies\nreported that for administrative functions involving PHI, they strongly prefer to outsource\nonly domestically. For example, one of the seven Medicaid agencies explicitly reported\ndenying all requests to send offshore any administrative functions involving PHI.\n\nCONCLUSION\n\nThis memorandum report provides information about the current Medicaid environment\nfor outsourcing administrative functions offshore. As of June 2013, 15 of 56 Medicaid\nagencies had some form of State-specific requirments that addressed offshore\noutsourcing. The remaining 41 Medicaid agencies reported no offshore outsourcing\nrequirements and do not outsource administrative functions offshore. Among the\n15 Medicaid agencies with requirements, 4 Medicaid agencies prohibit the outsourcing of\nadministrative functions offshore and 11 Medicaid agencies allow it. The 11 Medicaid\nagencies that allow offshore outsourcing of administrative functions each maintain BAAs\nwith contractors, which is a requirement under HIPAA. Among other things, BAAs are\nintended to safeguard PHI. These 11 Medicaid agencies do not have additional State\nrequirements that specifically address the safeguarding of PHI. Seven of the eleven\nMedicaid agencies reported outsourcing offshore through subcontractors, but none\nreported sending PHI offshore. If Medicaid agencies engage in offshore outsourcing of\nadministrative functions that involve PHI, it could present potential vulnerabilities. For\nexample, Medicaid agencies or domestic contractors who send PHI offshore may have\nlimited means of enforcing provisions of BAAs that are intended to safeguard PHI.\nAlthough some countries may have privacy protections greater than those in the United\nStates, other countries may have limited or no privacy protections.\n\nThis report is being issued directly in final form because it contains no recommendations.\nIf you have comments or questions about this report, please provide them within 60 days.\nPlease refer to report number OEI-09-12-00530 in all correspondence.\n\n\n\n\n23\n  MMIS is a claims processing and information retrieval system for Medicaid. All Medicaid agencies\noperate an MMIS to support program administration and maintain information, such as provider enrollment\nand claims processing. Medicaid agencies may use a contractor to operate their MMIS. 42 CFR pt. 433.\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 11 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nAPPENDIX: STATE REQUIREMENTS FOR TWO MEDICAID AGENCIES\nTHAT ALLOW OFFSHORE OUTSOURCING OF ADMINISTRATIVE\nFUNCTIONS UNDER LIMITED CIRCUMSTANCES\n\nState of Missouri\xe2\x80\x99s Executive Order\n\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 12 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nAPPENDIX (continued)\n\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0cPage 13 \xe2\x80\x93 Marilyn Tavenner and Leon Rodriguez\n\n\nAPPENDIX (continued)\n\nState of New Jersey\xe2\x80\x99s State Law\n\n\n\n\nOffshore Outsourcing of Medicaid Administrative Functions (OEI-09-12-00530)\n\x0c"